
strengthen "secure" docker deployment

Open mhow2 opened this issue 5 years ago • 3 comments

Hi, I'm aware that for now the docker-compose setup is intended for showcasing the platform. There is even a warning:

Deployed infrastructure following previous steps doesn't provide any security protection on the data generated, so don't use this for production environments or in public access environments.

So it looks a bit confusing to me. On one hand we call it "secured", but on the other we're telling people that the data is unprotected. I feel that if we keep calling this a "secured" setup we should develop how to strengthen it a little in terms of security. What do you think?

So the question also boils down to: who has experience running the GL docker stack in a production context?

Some ideas (in bulk):

  • While it's mentioned that the default SG/Kibiter passwords can possibly be changed, it's not detailed how to do it (it's not that straightforward as far as I can see). Also say which services potentially use those credentials.

  • unexpose elasticsearch / port 9200 https://github.com/chaoss/grimoirelab/blob/580fde95ed96cec19e6fdd90618523c6f2a1e934/docker-compose/docker-compose-secured.yml#L29-L30

  • If we keep exposing ES, we could suggest IP filtering by firewall rules and/or a reverse proxy setup

  • Explain a bit more about SSL/TLS:

    • Kibiter: might need a reverse proxy to get a working https:// connectivity
    • ES: uses a self-signed certificate by default. Is it good / bad? Depends if it's exposed... How to change it? Reverse proxy?
    • Same thing for SortingHat

In terms of deployment, maybe have something explaining what to do to turn the "demo" into something more specific.

mhow2 avatar Mar 11 '20 10:03 mhow2
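The exposure points listed above (a backend such as Elasticsearch on 9200 published straight from `docker-compose.yml`, a UI such as Kibiter published on every interface without a TLS reverse proxy in front) are the kind of thing a compose file can be checked for mechanically. The script below is an added example written for this thread; it is not part of GrimoireLab and does not reproduce the project's real `docker-compose-secured.yml`. It parses the `ports:` entries of a compose file with a small line-based reader (no PyYAML dependency), flags backend ports that should never be published and host bindings that are not loopback, and runs over two constructed compose snippets: a "demo" layout and a hardened one where Elasticsearch is reachable only on the compose network and Kibiter is bound to `127.0.0.1` behind a reverse proxy. Service and image names in the snippets are assumptions for the example.

```python
"""Audit docker-compose port publishing for a demo stack (added example, not GrimoireLab code)."""
import re
import textwrap
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Host bindings that keep a published port off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Reason codes and the advice a reviewer would attach to each.
REASON_TEXT = {
    "BACKEND_PUBLISHED": "backend port published; drop the ports: entry and reach it over the compose "
                         "network or through a reverse proxy",
    "ALL_INTERFACES": "published on all interfaces; bind to 127.0.0.1 behind a TLS reverse proxy, "
                      "or restrict it with host firewall rules",
}


@dataclass
class PortMapping:
    service: str
    host_ip: Optional[str]   # None means Docker binds to 0.0.0.0 / every interface
    host_port: str
    container_port: str


def parse_port_mapping(service: str, entry: str) -> PortMapping:
    """Parse one compose ports entry: '9200', '9200:9200', '127.0.0.1:9200:9200', optional '/tcp'."""
    entry = entry.split("#", 1)[0].strip().strip("\"'")   # drop trailing comment and quotes
    spec = entry.split("/", 1)[0]                          # ignore protocol suffix
    parts = spec.rsplit(":", 2)
    if len(parts) == 1:                                   # container port only: ephemeral host port, all interfaces
        return PortMapping(service, None, "ephemeral", parts[0])
    if len(parts) == 2:                                   # host:container, all interfaces
        return PortMapping(service, None, parts[0], parts[1])
    return PortMapping(service, parts[0], parts[1], parts[2])  # ip:host:container


def collect_port_mappings(compose_text: str) -> List[PortMapping]:
    """Walk the services: block by indentation and collect every '- <mapping>' under a ports: key."""
    mappings: List[PortMapping] = []
    in_services, in_ports, service = False, False, None
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            in_services, in_ports, service = (stripped == "services:"), False, None
        elif not in_services:
            continue
        elif indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False
        elif indent == 4:
            in_ports = (stripped == "ports:")
        elif in_ports and service and re.match(r"^-\s+", stripped):
            mappings.append(parse_port_mapping(service, re.sub(r"^-\s+", "", stripped)))
    return mappings


def audit(compose_text: str,
          backend_ports=frozenset({"9200", "9300"}),
          public_ports=frozenset({"80", "443"})) -> List[Tuple[str, str, str]]:
    """Return (service, container_port, reason_code) for every mapping that widens the attack surface."""
    findings = []
    for m in collect_port_mappings(compose_text):
        if m.container_port in backend_ports:
            findings.append((m.service, m.container_port, "BACKEND_PUBLISHED"))
        elif m.container_port in public_ports:
            continue                                      # the reverse proxy is meant to be reachable
        elif m.host_ip not in LOOPBACK:
            findings.append((m.service, m.container_port, "ALL_INTERFACES"))
    return findings


# Constructed demo-style compose file: every backend and UI port published on all interfaces.
DEMO_COMPOSE = textwrap.dedent("""\
    services:
      elasticsearch:
        image: elasticsearch:assumed-tag
        ports:
          - 9200:9200
          - 9300:9300
      kibiter:
        image: kibiter:assumed-tag
        ports:
          - "5601:5601"
""")

# Constructed hardened variant: ES has no ports: entry, Kibiter is loopback-only, TLS ends at the proxy.
HARDENED_COMPOSE = textwrap.dedent("""\
    services:
      elasticsearch:
        image: elasticsearch:assumed-tag
        # no ports: entry, reachable only from the compose network
      kibiter:
        image: kibiter:assumed-tag
        ports:
          - "127.0.0.1:5601:5601"
      reverse-proxy:
        image: reverse-proxy:assumed-tag
        ports:
          - "443:443"
""")

if __name__ == "__main__":
    for name, text in (("demo", DEMO_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(f"[{name}] {len(audit(text))} finding(s)")
        for service, port, code in audit(text):
            print(f"  {service}:{port} {REASON_TEXT[code]}")
```

Quote port strings in real compose files as the hardened snippet does: an unquoted `9200:9200` is a valid YAML 1.1 sexagesimal number, and quoting removes that ambiguity. Binding to `127.0.0.1` only keeps the port off other hosts; it does nothing for TLS, which is the reverse proxy's job.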

Just in case it matters, I'm working on a container with GrimoireLab and the usual servers, using OpenDistro for Elasticsearch / Kibana, thus providing SSL access to Elasticsearch, and (potentially) to Kibana. Stay tuned... This is intended to be a new version of the grimoirelab/full container.

jgbarah avatar Mar 11 '20 18:03 jgbarah

@jgbarah Hello, I don't know if it can be of help, so far I have used https://traefik.io to secure the SSL communication for my containers.

Please also add how to secure Kibiter using the grimoirelab/full container in docker, thank you!

antonionardella avatar Aug 31 '20 13:08 antonionardella

Thx! I dropped the ball in this project, I'll try to come back to it. Thanks for the suggestion.

jgbarah avatar Sep 01 '20 17:09 jgbarah

The current docker compose offers how to use the images with OpenSearch security plugins.

sduenas avatar Oct 27 '23 15:10 sduenas